Sunday, June 26, 2016

Mobile Application Testing

Technology is evolving faster by the day. Today's mobiles are no longer just phones; they are small computers. Smartphones run powerful applications that put everything at the user's fingertips. Users can use their mobiles for:

- logging in to banks in order to transfer funds
- purchasing or selling shares via trading portals
- booking travel or movie tickets
- tweeting or social networking
- donating to charity

As money transactions move to mobiles, attackers move their attention there too. Hence, as a precautionary measure, securing mobile applications becomes important. This article introduces you to three key aspects of securing mobile applications.

Mobile applications may be:

- a web application accessed via a WAP browser.
- a thick client application sending out HTTP requests or SMS messages.

Security testers should broadly focus on the following categories while analyzing their test cases:

- Local Storage of Data
- Hard-coded Sensitive Data in the Source Code
- Data in Transit

Let us further
discuss these categories in detail from a security tester’s perspective.

Local Storage of Data

Testing the local storage of data is also referred to as "Handset Memory Analysis" for mobiles.

Mobile applications store data in the local memory of a handset. Developers write this data to local files, and the application reads it back.

The Android OS stores data in files at runtime, but because of its native sandboxing mechanism, obtaining access to this data is difficult. It also stores some data in SQLite databases.

Apple iOS stores sensitive information such as keystrokes, screen snapshots and other cached information in the iPhone's local memory, in the form of client-side SQLite databases or .plist files.

Java applications on Nokia phones store data as RMS (Record Management System) files. These RMS files are stored permanently and are easily accessible; sometimes they can be read directly when the phone is connected to a PC via a data cable. Such files have a history of containing sensitive information like bank account numbers, beneficiary details or the auto-pay details of registered billers.

A security tester needs
to conduct a Handset Memory Analysis to detect sensitive information stored in
the device.

A mobile application should not store sensitive data on user handsets. If some data must be stored, it should be stored securely using strong encryption algorithms, and placed in locations that other applications cannot reach, with strict permissions.

Hard-coded Sensitive Data in the Source Code

Applications are also known to contain hard-coded data in their source code. We may come across various types of sensitive data, such as:

- payment gateway credentials hard-coded in the client
- hard-coded server and application-specific details
- developer names and comments explaining pieces of the code

Reverse-engineering the application package yields readable code files. This ultimately helps discover hard-coded data, and it also reveals the application logic.

Android packages the application in .apk files, which have to be reverse-engineered to .dex files and then to readable class files.

Other .jar files can simply be renamed to .rar and extracted with WinRAR. This yields the class files, which can then be decompiled and read in a text editor.

A security tester has to decompile the application code in order to detect sensitive data or other hard-coded information.

A mobile
application should not hard-code sensitive data in the client-side code.
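The following script is added here as an illustration and is not part of the original article. It pulls text out of the three artifact types the article names (an SQLite database, a .plist file and a decompiled Java source file) and scans each for the kinds of values a handset memory analysis or source review looks for. The artifacts, file names and detection patterns are all constructed for the example.

```python
import re
import sqlite3
import plistlib

# Constructed patterns for the kinds of data the article says turn up in
# handset storage and decompiled source; tune them to the app under test.
PATTERNS = {
    "bank_account": re.compile(r"\b\d{10,16}\b"),
    "credential": re.compile(
        r"(?i)(password|passwd|apikey|api_key|secret)\s*[=:]\s*[\"']?([^\s\"';]+)"),
    "url_host": re.compile(r"https?://[\w.-]+"),
}

def scan_text(source, text):
    """Return (source, pattern_name, matched_text) for every hit in text."""
    return [(source, name, m.group(0))
            for name, pat in PATTERNS.items() for m in pat.finditer(text)]

def scan_sqlite(source, conn):
    """Dump every row of every table in an SQLite database and scan it."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    hits = []
    for table in tables:
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            hits += scan_text(f"{source}:{table}", " ".join(map(str, row)))
    return hits

def scan_plist(source, data):
    """Flatten a .plist (bytes) into key=value lines and scan them."""
    items = plistlib.loads(data)
    return scan_text(source, "\n".join(f"{k}={v}" for k, v in items.items()))

def sample_findings():
    """Constructed sample artifacts, not taken from any real device or app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE beneficiaries(name TEXT, account TEXT)")
    conn.execute("INSERT INTO beneficiaries VALUES ('Alice', '123456789012')")
    plist = plistlib.dumps({"cachedPassword": "hunter2", "lastHost": "api.example.test"})
    java = ('String API_KEY = "constructed-key-value";  // gateway credential\n'
            'String BASE = "https://pay.example.test";')
    return (scan_sqlite("app.db", conn)
            + scan_plist("Prefs.plist", plist)
            + scan_text("PaymentClient.java", java))

if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

On a real engagement the same scanners would be pointed at files copied off the handset or at the decompiled sources, and every hit reviewed by hand, since the patterns are deliberately broad.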

Data in Transit

Another aspect of mobile usage is the communication channel. Data in transit may be vulnerable to sniffing or manipulation. Data in transit can be tampered with or stolen in order to:

- obtain access to other users' accounts.
- transfer funds from other accounts.
- sell shares belonging to other users in order to create a nuisance.
- conduct social engineering.

During a security test, the tester should analyze the data in transit. HTTP traffic from mobile networks can be intercepted with an intercepting proxy tool. There, the tester can perform targeted manipulation of requests in order to test the application's resilience against such attacks.

Mobile applications should therefore implement server-side validation to prevent data manipulation in transit. Strong SSL encryption should also be implemented to protect data in transit.
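As an added illustration of the server-side validation the article calls for (example code, not from the original post), the function below re-checks a funds-transfer request against facts the server holds, so that fields edited in an intercepting proxy are rejected. The account table, daily limit and request bodies are constructed for the example.

```python
# Constructed server-side view of who owns which account, with balances.
# The client never asserts ownership; it comes from the authenticated session.
ACCOUNTS = {
    "u100": {"ACC-100": 5000.00},
    "u200": {"ACC-200": 12000.00},
}
DAILY_LIMIT = 10000.00

def validate_transfer(session_user, req):
    """Re-validate a transfer using only server-side facts.

    req is the parsed request body exactly as received, which a tester may
    have edited in a proxy. Returns (accepted, reason).
    """
    owned = ACCOUNTS.get(session_user, {})
    src = req.get("from_account")
    # 1. Ownership: the source account must belong to the logged-in user,
    #    regardless of what the client put in the request.
    if src not in owned:
        return False, "source account not owned by session user"
    # 2. Amount: client-side checks may have been bypassed, so re-check
    #    type, sign, limit and balance here.
    try:
        amount = float(req.get("amount", ""))
    except (TypeError, ValueError):
        return False, "amount is not numeric"
    if not 0 < amount <= DAILY_LIMIT:
        return False, "amount out of range"
    if amount > owned[src]:
        return False, "insufficient funds"
    # 3. Destination must be a well-formed account id, not arbitrary text.
    dst = req.get("to_account", "")
    if not (isinstance(dst, str) and dst.startswith("ACC-") and dst[4:].isdigit()):
        return False, "malformed destination"
    if dst == src:
        return False, "destination equals source"
    return True, "accepted"

# Constructed requests: the legitimate one, and the variants a tester gets by
# editing the same request in an intercepting proxy.
LEGIT = {"from_account": "ACC-100", "to_account": "ACC-200", "amount": "250.00"}
TAMPERED_SOURCE = dict(LEGIT, from_account="ACC-200")  # another user's account
TAMPERED_AMOUNT = dict(LEGIT, amount="-250.00")        # negative to reverse flow
TAMPERED_DEST = dict(LEGIT, to_account="ACC-2OO")      # letters where digits belong

if __name__ == "__main__":
    for label, req in [("legit", LEGIT), ("source", TAMPERED_SOURCE),
                       ("amount", TAMPERED_AMOUNT), ("dest", TAMPERED_DEST)]:
        print(label, validate_transfer("u100", req))
```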

Conclusion

Mobile application attacks have many dimensions. This article focuses on three key aspects of the mobile security testing domain, around which most tests revolve. OWASP and other well-known security forums periodically release guidelines for securing mobile applications. Developers should follow these guidelines diligently, and security testers should include them in their detection armory.

17 comments:

Thank you for the look into mobile application security testing! In forums I've participated in, users often say application security testing is not necessary because developers should have made their applications secure in the first place.

You have provided a nice article, thank you very much for this one. I hope this will be useful for many people, and I am waiting for your next post. Keep on updating these kinds of knowledgeable things.

Try this Vender app! Vender is a mobile application that lets you manage your leads and tasks in one app. Communicate and log your activities, get things done, back up and sync all your devices, and decide better with visual reports.

A writer should always try to keep their writing very simple and clear. Always use facts which are easily acceptable to general people, because they are very close to their assumptions and they welcome such kinds of facts.

Thanks for making us aware of the importance of mobile application security. I also want to add some important points here that can help you get a secure Android app:

1. SSL implementation check
2. Sensitive information management at client side
3. Code obfuscation
4. Obsolete cryptographic libraries identification
5. Validation checks at both client side and server side
6. Input sanitisation
7. Encode and decode
8. Implement checksums and tokens
9. Secure response headers
10. Authorisation testing

Read More: http://blog.entersoftsecurity.com/home/2016/9/21/entersoft-essentials-security-guidelines-to-secure-your-android-app

Nice blog, very informative. Subject well covered. As you have stated, securing mobile applications as well as the mobile devices is very important. Mobiles are used for personal purposes as well as for business purposes. When the same mobile is used for both, then ensuring security is important. This is when mobile device management software comes into play. I suggest you write a good piece (like this one) on MDM.